The U.S. Federal Trade Commission has weighed in on the contentious issue of the proposed sale of consumer data by bankrupt retailer RadioShack, recommending that a model be adopted based on a settlement the agency reached with a failed online toy retailer.

The state of Texas, which is leading action by several U.S. states, has opposed the sale of personally identifiable information by RadioShack, citing the online and in-store privacy policies of the bankrupt consumer electronics retailer.

Apple and some wireless carriers have opposed the sale of some of the customer data, which it said was collected from their respective customers and was governed by their privacy policies.

In a letter Saturday to a court-appointed consumer privacy ombudsman, Jessica L. Rich, director of the FTC’s bureau of consumer protection, has said that the agency’s concerns about the transfer of customer information inconsistent with RadioShack’s privacy promises “would be greatly diminished” if certain conditions were met, including that the data was not sold standalone, and if the buyer is engaged in substantially the same lines of business as RadioShack, and expressly agrees to be bound by and adhere to the privacy policies.

Rich said that the proposal being made was in line with the settlement FTC reached in 2000 with Toysmart.com, a failed online retailer of toys.

The FTC has said that alternatively RadioShack would have to take permission from customers to transfer their data. Information of customers who do not agree would have to be purged.

In her report, ombudsman Elise S. Frejka, has recommended the sale of the personal data under conditions similar to those recommended by the FTC, with some additional provisions. The data from the wireless operators and specific mobility products is to be scrubbed.

In the first round of sale, RadioShack sold about 1,700 stores to General Wireless an affiliate of hedge fund Standard General, which entered into an agreement to set up 1,435 of these as co-branded stores with wireless operator Sprint. Some other assets were also sold in the auction.

The company asked a bankruptcy court for approval for a second auction of its assets, which included the consumer data. On May 11, RadioShack selected General Wireless as the highest and best bidder for the remaining assets, including the customer data.

RadioShack has said that credit card numbers, debit card numbers, and transaction data that are not typically found on a standard sales receipt will not be sold. Up for sale are a “contact database,” consisting of about 8.5 million opt-in email addresses, of which approximately 3.1 million were active within the last 12 months, and a “customer database,” consisting of about 67 million customer names and physical mailing address files, of which approximately 11.9 million made a purchase in the last 12 months.

As a result of court-ordered mediation, the states, the highest bidder and RadioShack have reached an agreement in principle that will resolve many of the objections and concerns raised by the state attorneys general about the sale of the customer data, according to the ombudsman report. The settlement is subject to certain consents and approvals, which are expected by the close of business on Tuesday.

John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service. Follow John on Twitter at @Johnribeiro. John’s e-mail address is john_ribeiro@idg.com

The FBI contends a cybersecurity researcher said he caused an airplane’s engine to climb after hacking its software, according to a court document.

The researcher, Chris Roberts, was questioned by the FBI on April 15 after he wrote a tweet that suggested he was probing aircraft systems on a United Airlines flight he took earlier that day.

The FBI interviewed him after he flew into Syracuse, New York, and seized his electronics. Two days later, the agency then filed an application for a search warrant to examine Roberts’ gear, which has been published in federal court records.

The application contains rich detail describing three of the agency’s interviews with Roberts, who is co-founder and CTO of the security company One World Labs in Colorado. He has not been charged with a crime, although United Airlines banned him from flying on its planes.

It is not clear when the incident involving the airplane’s engine occurred or if the plane might have been in danger as the result of it.

On Sunday, Roberts wrote on Twitter that “Over last five years my only interest has been to improve aircraft security…given the current situation I’ve been advised against saying much.” Roberts is being represented by Nate Cardozo, a staff attorney with the Electronic Frontier Foundation. Cardozo said Roberts was not available to comment beyond what he wrote on Twitter.

One of Roberts’ specialties is investigating security flaws in aircraft systems, which the U.S. government has warned could endanger flight safety if not configured correctly.

Regarding the engine incident, Special Agent Mark S. Hurley wrote in the warrant application that Roberts said he connected his laptop to the in-flight entertainment (IFE) system through the Seat Electronic Box (SEB), which is located under some passenger seats.

After hacking the IFE system, he gained access to other systems on the plane, Hurley wrote.

Roberts “stated that he then overwrote code on the airplane’s Thrust Management Computer while aboard a flight,” Hurley wrote. “He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command.”

One of the airplane’s engines began to climb, “resulting in a lateral or sideways movement of the plane during one of these flights,” the warrant application said.

Hurley wrote that Roberts said he had compromised IFE systems 15 to 20 times from 2011 through 2014.

Roberts allegedly said he compromised IFE systems made by Thales and Panasonic with video monitors installed at the back of passenger seats, Hurley wrote.

Roberts’ problems started on April 15 when he wrote a tweet that suggested he was probing aircraft systems on a United Airlines flight from Denver to Chicago on a 737/800.

He continued flying that day from Chicago to Syracuse, New York. While en route, United Airlines’ Cyber Security Intelligence Department had seen his tweet, which referred to the EICAS system, or Engine Indication and Crew Alerting System.

According to the warrant application, an FBI special agent later examined the first-class cabin where Roberts flew on his way to Chicago. The SEBs under seats 2A and 3A showed signs of tampering.

“The SEB under 2A was damaged,” the document said. “The outer cover of the box was open approximately 1/2 inch, and one of the retaining screws was not seated and was exposed.”

Roberts told agents that he did not compromise the airplane’s network on the flight to Chicago, the warrant application said.

In February and March, the FBI had interviewed Roberts in which he allegedly also told agents he had hacked IFE systems on aircraft before.

Hurley wrote they seized his equipment in Syracuse because “it would endanger public safety to allow him to leave the Syracuse airport that evening with that equipment.”

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Mods! They’re a big part of what makes PC gaming so great. They’re an even bigger part of the Grand Theft Auto franchise’s success on PCs. But malicious no-goodniks out there have seized advantage of the current spotlight on GTA V to slip nasty keylogger malware into some of the mods available for the game–including the otherwise awesome-looking “Angry Planes” mod that made the rounds on the big gaming sites this week.

GTA Forums member aboutseven first noticed Angry Planes misbehaving, Kotaku reports. He became suspicious when he noticed an odd C# compiler program running in his system processes, sending and receiving data across the web. Further digging revealed a Fade.exe executable buried in his PC’s Temporary Files folder, keeping logs of his activity and altering the Windows registry to silently launch at system boot. Gulp.

Aboutseven eradicated Fade.exe from his system, but noticed it sprung back to life whenever he ran GTA V with mods installed. After a bit more trial and error, he pinpointed the Angry Planes mod as the culprit. Another mod dubbed “No Clip” was also found to contain the malware.

Why this matters: Bad guys always find a way to ruin a good thing. But this fiasco drives home an important point: Mods are software designed to run on your system, and you should religiously scan all software you download with anti-virus and anti-malware tools before you run them. Yes, even mods.

If you need some AV recommendations and don’t have a dime to spare on premium suites, PCWorld’s guide to building the ultimate free security suite can point you in the right direction.

The dangers of Angry planes

So what, exactly, does Fade.exe do? Fellow GTA Forums member ckck performed an analysis after also being infected by Angry Planes and claims the Trojan malware used his PC to participate in a DDoS attack against a Twitch game streamer. He also says he found the following modules active inside the malware:

• “Facebook spam/credential stealing module
• Twitch spam/credential stealing module
• Messenger.com spam/credential stealing module
• A Steam spamming module
• A Steam module that evaluates the items in your inventory and their value based on current market value
• A Keylogger module that logs individual button presses in an XML like format, it also includes information about context switches (switching from one app/window to another)
• A UDP flooding module
• There were others I hadn’t deciphered and didn’t see in action.”

Fortunately, GTA5-mods.com–one of the sites that hosted the malware-ridden mods as well as many, many more legit GTA V mods–promptly removed the offenders, issuing a public apology and explanation. If you’ve used Angry Planes or No Clip with GTA V, perform an anti-malware scan with one of the AV programs that detects the malicious file. Since the keylogger malware monitors Steam, Facebook, and Twitch, you’ll want to change your passwords for those services, as well. Heck, changing all your passwords would be the smartest idea.

Tails, a privacy and anonymity-focused Linux distribution most famously used by Edward Snowden, just released version 1.4.

This Debian-based system is designed to preserve your privacy and anonymity online, providing better protection than just using the Tor browser alone on a typical operating system. How effective is this concealment-centric operating system’s tools? Well, in 2012, vulnerabilities for Tails topped the NSA’s most-wanted list alongside Tor and TrueCrypt.

Let’s dig into Tails’ basic capabilities, as well as the new changes.

Why Edward Snowden (and others) choose Tails

Tails stands for “The Amnesiac Incognito Live System,” and it’s designed to be booted and run entirely from a disc, USB drive, or SD card. This ensures no traces of your activity are written to your PC’s hard drive. It also means any malware or other surveillance software running on a computer’s normal operating system–Windows, for example–won’t be involved with the Tails session.

Even if you’re using an untrusted computer, you can reboot it with Tails inserted. Boot up into Tails and you can now trust the computer much more, as you don’t have to worry about software running in the background snooping on you. It isn’t absolutely foolproof, however–in theory, malicious firmware on the PC’s hardware could be sitting in the background and snooping on you.

Tails includes the Tor Browser as well as the I2P anonymizing software. Unlike simply installing the Tor Browser on a typical computer, Tails is designed to route all communications possible over Tor and prevent applications from leaking traffic. The Tor enforcement document explains exactly how the underlying system is configured to force traffic through Tor. Not only does it force browser traffic through the Tor browser, it also routes other applications’ traffic over Tor, doing its best to prevent any anonymity-compromising traffic from leaking.

Along with Tor and I2P, Tails ships other privacy software. For example, Pidgin is preinstalled with the Off-the-Record plug-in for encrypted chatting. You’ll also find software like the KeePassX password manager, Electrum BitCoin wallet, and disk-wiping and encryption tools.

Not only does this make Tor much more foolproof and isolate anonymous Internet use from a computer’s normal operating system, all of the software you’ll need is preinstalled along with links to various help pages. It’s a single package you can keep on a USB drive in your pocket, so you don’t have to hunt down all the software and install it individually.

What’s new in Tails 1.4

The latest version of Tails upgrades the Tor Browser to version 4.5. This latest release offers a security slider for restricting browser features even further, potentially offering more security. When you connect to a website, the latest Tor Browser loads all that website’s resources through the same Tor circuit. While browsing a website, it keeps using that same Tor circuit. When you go to a different website, it uses a new Tor circuit. This prevents websites from connecting your website visits to you and ensures a website’s behavior won’t change as you’re viewing it.

The new default search engine is “Disconnect.” This search engine provides anonymized results from Google, and you won’t see the normal CAPTCHAs attempting to confirm you’re a human that you would if you were using Google through Tor. A command named Paperkey is also included, allowing you to print a backup of your OpenPGP secret keys to a piece of paper.

Aside from these changes, there are the usual ones you’d expect in a new version of a Linux distribution–version bumps to the Tor and I2P software, support for more printers, and better support for Vietnamese fonts in LibreOffice. Read the Tails 1.4 release notes for more details. If you’re actually planning on using Tails, be sure to read the about page and warnings before getting started.

At the end of June, merchants that accept payment cards have five new security requirements to comply with — and significant fines and other costs if they don’t.

The new rules are part of the new Payment Card Industry Data Security Standard. Here is some advice from Trustwave Holdings, a PCI compliance consulting firm.

1. Be sure to log customers out

Your customer is at a public kiosk at an airport and visits your site. Maybe they want to buy something, or check prices. The boarding announcement comes over the loudspeaker, they close out the browser, and run off to get on the plane.

[ ALSO:  PCI Shrugged: Debunking Criticisms of PCI DSS ]

Did you log them out? Or is their session still active — and available to whoever uses the kiosk next?

“This primarily affects merchants that develop their own applications,” said Don Brooks, a senior security engineer at Trustwave. “But if you have an application that you bought from a vendor, you need to call and make sure the vendor has taken care of this.”

You can outsource the responsibility, he said, but not the liability.

“If you’re working with a third party, make sure they’re doing the right things,” he said.

In a related authentication issue, a customer’s account needs to be locked after three to five attempts, to keep out hackers trying all possible passwords.

2. Unique credentials for all employees

PCI has long had a requirement that each employee has to have their own login credentials to sensitive systems.

That way, if something goes wrong, you at least know who was responsible.

Now, this requirement extends to third-party providers, as well.

Not only must each employee have their own user account, but they need to have different user accounts for each customer they work with.

“Otherwise, if someone can figure out how to break into one, they can break into others,” said Brooks.

3. Service providers must accept responsibility

Third party service providers must now acknowledge, in writing, that they are responsible for keeping cardholder data safe. Before, they just had to say that they would be PCI compliant — this takes it one step further.

If there’s a breach, the merchant is still going to be the one hit with fines and other costs.

“But if there’s gross negligence, you could pursue litigation for reimbursement,” said Brooks.

Say, for example, the service provider has a single access credential for all their employees and customer accounts, which leads to a breach.

“If you find out that the service provider wasn’t doing all the things they needed to do, you could sue them in civil court,” he said.

4. Protect payment terminals

Merchants have long been expected to make sure their point of sale devices were secure, but now there’s a specific requirement to do regular inspections of devices to ensure that they weren’t tampered with.

[ ALSO 5 ways PCI is becoming more security-conscious next year ]

For example, when cashiers start their shifts, they can be trained to inspect their terminals to make sure they haven’t been touched. These employees use the equipment on a regular basis, and would be the first to notice if something had changed.

“The real risk is that a bad guy comes in and swaps your terminal or tinkers with it,” Brooks said.

5. Pen test your PCI environment

Penetration has been part of the PCI DSS since version 1.2, but there were few concrete details about exactly what this meant.

“If you go to five different vendors, you’ll get five different offerings,” said Brooks.

Now, there are specifics.

“There was some guidance that was issued a couple of weeks ago,” he said. “The focus now is to test from any internal locations that aren’t part of the cardholder environment into the cardholder environment. To check the walls that we built to keep the PCI environment safe from everywhere else.”

Fines, fees, and penalties — oh, my!

What happens to merchants who don’t comply? It’s going to cost them some money.

“Often we see fines in the $100,000 to $500,000 range,” he said. “But that is just the beginning.”

A breach that results in the loss of 10,000 credit card numbers will result in a fine of about $250,000 from the card brand.

Small merchants that previously were able to self-assess may now be required to hire auditors to do their PCI assessments, which will add between $50,000 and $100,000 in expenses.

Then there are the costs of issuing new cards, paying for credit monitoring — and the loss of customers who’ve heard about the breach and don’t trust you any more.

The biggest change, of course, is the liability shift. If there is a fraudulent purchase — and the merchant hasn’t yet upgraded to the new EMV smartcard readers — then the merchant is responsible for the losses. This goes into effect in October.